npm - @groundnuty/macf - Versions diffs - 0.2.0-rc.0 - Mend

@groundnuty/macf 0.2.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (124) hide show

package/dist/.build-info.json +4 -0
package/dist/cli/build-info.d.ts +38 -0
package/dist/cli/build-info.d.ts.map +1 -0
package/dist/cli/build-info.js +119 -0
package/dist/cli/build-info.js.map +1 -0
package/dist/cli/claude-sh.d.ts +42 -0
package/dist/cli/claude-sh.d.ts.map +1 -0
package/dist/cli/claude-sh.js +247 -0
package/dist/cli/claude-sh.js.map +1 -0
package/dist/cli/commands/cd.d.ts +6 -0
package/dist/cli/commands/cd.d.ts.map +1 -0
package/dist/cli/commands/cd.js +17 -0
package/dist/cli/commands/cd.js.map +1 -0
package/dist/cli/commands/certs.d.ts +33 -0
package/dist/cli/commands/certs.d.ts.map +1 -0
package/dist/cli/commands/certs.js +233 -0
package/dist/cli/commands/certs.js.map +1 -0
package/dist/cli/commands/doctor.d.ts +91 -0
package/dist/cli/commands/doctor.d.ts.map +1 -0
package/dist/cli/commands/doctor.js +235 -0
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/init.d.ts +37 -0
package/dist/cli/commands/init.d.ts.map +1 -0
package/dist/cli/commands/init.js +279 -0
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/list.d.ts +5 -0
package/dist/cli/commands/list.d.ts.map +1 -0
package/dist/cli/commands/list.js +21 -0
package/dist/cli/commands/list.js.map +1 -0
package/dist/cli/commands/migrate-ca-key.d.ts +36 -0
package/dist/cli/commands/migrate-ca-key.d.ts.map +1 -0
package/dist/cli/commands/migrate-ca-key.js +92 -0
package/dist/cli/commands/migrate-ca-key.js.map +1 -0
package/dist/cli/commands/peers.d.ts +8 -0
package/dist/cli/commands/peers.d.ts.map +1 -0
package/dist/cli/commands/peers.js +45 -0
package/dist/cli/commands/peers.js.map +1 -0
package/dist/cli/commands/repo-init.d.ts +43 -0
package/dist/cli/commands/repo-init.d.ts.map +1 -0
package/dist/cli/commands/repo-init.js +304 -0
package/dist/cli/commands/repo-init.js.map +1 -0
package/dist/cli/commands/rules-refresh.d.ts +14 -0
package/dist/cli/commands/rules-refresh.d.ts.map +1 -0
package/dist/cli/commands/rules-refresh.js +67 -0
package/dist/cli/commands/rules-refresh.js.map +1 -0
package/dist/cli/commands/self-update.d.ts +14 -0
package/dist/cli/commands/self-update.d.ts.map +1 -0
package/dist/cli/commands/self-update.js +112 -0
package/dist/cli/commands/self-update.js.map +1 -0
package/dist/cli/commands/status.d.ts +9 -0
package/dist/cli/commands/status.d.ts.map +1 -0
package/dist/cli/commands/status.js +90 -0
package/dist/cli/commands/status.js.map +1 -0
package/dist/cli/commands/update.d.ts +25 -0
package/dist/cli/commands/update.d.ts.map +1 -0
package/dist/cli/commands/update.js +316 -0
package/dist/cli/commands/update.js.map +1 -0
package/dist/cli/config.d.ts +103 -0
package/dist/cli/config.d.ts.map +1 -0
package/dist/cli/config.js +224 -0
package/dist/cli/config.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +245 -0
package/dist/cli/index.js.map +1 -0
package/dist/cli/plugin-fetcher.d.ts +20 -0
package/dist/cli/plugin-fetcher.d.ts.map +1 -0
package/dist/cli/plugin-fetcher.js +83 -0
package/dist/cli/plugin-fetcher.js.map +1 -0
package/dist/cli/prompt.d.ts +17 -0
package/dist/cli/prompt.d.ts.map +1 -0
package/dist/cli/prompt.js +109 -0
package/dist/cli/prompt.js.map +1 -0
package/dist/cli/registry-helper.d.ts +11 -0
package/dist/cli/registry-helper.d.ts.map +1 -0
package/dist/cli/registry-helper.js +18 -0
package/dist/cli/registry-helper.js.map +1 -0
package/dist/cli/rules.d.ts +39 -0
package/dist/cli/rules.d.ts.map +1 -0
package/dist/cli/rules.js +112 -0
package/dist/cli/rules.js.map +1 -0
package/dist/cli/settings-writer.d.ts +97 -0
package/dist/cli/settings-writer.d.ts.map +1 -0
package/dist/cli/settings-writer.js +270 -0
package/dist/cli/settings-writer.js.map +1 -0
package/dist/cli/version-resolver.d.ts +73 -0
package/dist/cli/version-resolver.d.ts.map +1 -0
package/dist/cli/version-resolver.js +238 -0
package/dist/cli/version-resolver.js.map +1 -0
package/dist/index.d.ts +19 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +22 -0
package/dist/index.js.map +1 -0
package/dist/plugin/bin/macf-plugin-cli.d.ts +13 -0
package/dist/plugin/bin/macf-plugin-cli.d.ts.map +1 -0
package/dist/plugin/bin/macf-plugin-cli.js +127 -0
package/dist/plugin/bin/macf-plugin-cli.js.map +1 -0
package/dist/plugin/lib/format.d.ts +40 -0
package/dist/plugin/lib/format.d.ts.map +1 -0
package/dist/plugin/lib/format.js +137 -0
package/dist/plugin/lib/format.js.map +1 -0
package/dist/plugin/lib/health.d.ts +2 -0
package/dist/plugin/lib/health.d.ts.map +1 -0
package/dist/plugin/lib/health.js +6 -0
package/dist/plugin/lib/health.js.map +1 -0
package/dist/plugin/lib/index.d.ts +7 -0
package/dist/plugin/lib/index.d.ts.map +1 -0
package/dist/plugin/lib/index.js +5 -0
package/dist/plugin/lib/index.js.map +1 -0
package/dist/plugin/lib/registry.d.ts +18 -0
package/dist/plugin/lib/registry.d.ts.map +1 -0
package/dist/plugin/lib/registry.js +17 -0
package/dist/plugin/lib/registry.js.map +1 -0
package/dist/plugin/lib/work.d.ts +13 -0
package/dist/plugin/lib/work.d.ts.map +1 -0
package/dist/plugin/lib/work.js +27 -0
package/dist/plugin/lib/work.js.map +1 -0
package/package.json +43 -0
package/plugin/rules/coordination.md +224 -0
package/scripts/check-gh-token.sh +102 -0
package/scripts/macf-gh-token.sh +130 -0
package/scripts/macf-whoami.sh +51 -0
package/scripts/tmux-send-to-claude.sh +51 -0
package/scripts/write-build-info.mjs +48 -0

package/dist/cli/settings-writer.js ADDED Viewed

@@ -0,0 +1,270 @@
+/**
+ * Merge-preserving writer for `<workspace>/.claude/settings.json`.
+ *
+ * Per #140, the attribution-trap PreToolUse hook (`check-gh-token.sh`)
+ * needs a settings.json entry to actually fire. Workspaces may have
+ * operator-authored settings there already (other hooks, env vars,
+ * model preferences) — this module reads the existing JSON (default
+ * `{}`), installs the MACF hook entry, and writes back without
+ * clobbering unrelated keys.
+ *
+ * Identification of MACF-managed entries is by command-string match
+ * on the hook script's filename (`check-gh-token.sh`). A stale entry
+ * from an older CLI version is refreshed in place; non-MACF entries
+ * and other hook event types (SessionStart, Stop, etc.) are preserved
+ * verbatim.
+ *
+ * Malformed settings.json throws — we refuse to silently overwrite
+ * bad JSON because that would erase user content if they hand-edited
+ * broken syntax.
+ */
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+/**
+ * The command path written into settings.json. Workspace-relative so
+ * it matches what `copyCanonicalScripts` places at
+ * `<workspace>/.claude/scripts/check-gh-token.sh`.
+ */
+export const MACF_HOOK_COMMAND = '.claude/scripts/check-gh-token.sh';
+/**
+ * The hook filename used to identify MACF-managed entries on refresh.
+ * Matched by path-end equality (see isMacfManagedCommand) so operator
+ * files with a similar-but-distinct basename are not misclassified.
+ */
+const MACF_HOOK_FILENAME = 'check-gh-token.sh';
+/**
+ * True iff the command string represents our managed hook — i.e. the
+ * command invokes a file whose basename equals MACF_HOOK_FILENAME
+ * (ignoring any trailing flags/arguments). Defensive against
+ * operator-authored commands that happen to contain our filename as a
+ * substring (e.g. `./my-check-gh-token.sh-wrapper --flag`).
+ */
+function isMacfManagedCommand(command) {
+    // Take the program path (first whitespace-delimited token), then
+    // extract its basename. `/a/b/check-gh-token.sh --v2` → `check-gh-token.sh`.
+    const program = command.trim().split(/\s+/)[0] ?? '';
+    const slash = program.lastIndexOf('/');
+    const basename = slash >= 0 ? program.slice(slash + 1) : program;
+    return basename === MACF_HOOK_FILENAME;
+}
+function readSettings(path) {
+    if (!existsSync(path))
+        return {};
+    const raw = readFileSync(path, 'utf-8');
+    try {
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        throw new Error(`Refusing to overwrite malformed .claude/settings.json at ${path}: ${err.message}. ` +
+            `Fix the JSON by hand, then re-run the command.`, { cause: err });
+    }
+}
+/**
+ * Permission patterns pre-approving the 4 `macf-agent` plugin skills.
+ * Without these, every first invocation of a skill (e.g. `/macf-status`
+ * during the SessionStart auto-pickup hook) fires an interactive
+ * approval dialog — blocking autonomy for the time operator takes to
+ * click through. See macf#189 sub-item 2 (bilateral e2e demo friction
+ * point: operator had to approve 4-5 dialogs per fresh workspace).
+ *
+ * Concrete patterns (not a wildcard `Skill(macf-agent:*)`): operator
+ * deliberately installed the plugin at v0.1.N, so pre-trusting THE
+ * SKILLS CURRENTLY KNOWN TO EXIST at this CLI version is safe. A
+ * future plugin version adding new skills would need a `macf update`
+ * run — which refreshes these patterns from the updated constant —
+ * before the new skills auto-approve. Wildcard would auto-approve
+ * anything shipped under the plugin namespace including future
+ * unreviewed additions; we opt out of that security posture.
+ *
+ * Keep in lockstep with the 4 skills shipped by
+ * `groundnuty/macf-marketplace/macf-agent/skills/`. When plugin adds
+ * a skill, add its pattern here + bump CLI version.
+ */
+export const PLUGIN_SKILL_PERMISSIONS = [
+    'Skill(macf-agent:macf-status)',
+    'Skill(macf-agent:macf-issues)',
+    'Skill(macf-agent:macf-peers)',
+    'Skill(macf-agent:macf-ping)',
+];
+/**
+ * Sandbox filesystem read-allow pattern for Claude Code's Bash-tool
+ * harness. Every Bash invocation's spawned shell reads `/proc/self/fd/3`
+ * (or higher fds in future builds) for stdin / command-input passed
+ * by the harness. Without this pattern in the sandbox allowlist, the
+ * read is denied → `zsh:4: permission denied: /proc/self/fd/3` →
+ * every Bash tool call fails (or falls back to
+ * `dangerouslyDisableSandbox`, defeating isolation). Hit every MACF
+ * agent before macf#200.
+ *
+ * Claude Code's `sandbox.filesystem.allowRead` takes **literal path
+ * prefixes**, not globs. Bare `/proc/self/fd` matches every
+ * descriptor at any depth (`/proc/self/fd/3`, `/proc/self/fd/4`, ...)
+ * via prefix semantics. An earlier draft used `/proc/self/fd/**` on
+ * the assumption it was a glob; it isn't — the double-star was
+ * treated as a literal and didn't match. See macf#208 for the
+ * empirical surfacing of the bug.
+ */
+export const SANDBOX_FD_READ_PATTERN = '/proc/self/fd';
+/**
+ * Read `.claude/settings.json`'s `sandbox.filesystem.allowRead` array
+ * as a list of strings. Returns an empty array if the file doesn't
+ * exist or the nested shape is absent/alien. Throws on malformed
+ * JSON — consistent with `installSandboxFdAllowRead`'s posture (we
+ * don't silently treat a broken file as "no entries"; that would
+ * mask operator-authored state).
+ *
+ * Used by `macf doctor` (macf#202) to report whether the workspace
+ * has the `/proc/self/fd` prefix pattern without duplicating the
+ * JSON-read + deep-narrow logic in two places.
+ */
+export function getSandboxAllowRead(workspaceDir) {
+    const absDir = resolve(workspaceDir);
+    const path = join(absDir, '.claude', 'settings.json');
+    const settings = readSettings(path);
+    const sandboxRaw = settings['sandbox'] ?? {};
+    const filesystemRaw = sandboxRaw['filesystem'] ?? {};
+    const list = filesystemRaw['allowRead'];
+    if (!Array.isArray(list))
+        return [];
+    return list.filter((v) => typeof v === 'string');
+}
+/**
+ * Legacy MACF-managed patterns that earlier CLI versions wrote to
+ * `allowRead`. Dropped from the array before installing the current
+ * `SANDBOX_FD_READ_PATTERN` — the `/**` glob suffix was treated
+ * literally by the sandbox (not as a glob) and silently didn't
+ * match, leaving the fd read denied. See macf#208.
+ */
+const MACF_LEGACY_FD_PATTERNS = [
+    '/proc/self/fd/**',
+];
+/**
+ * Install (or refresh) the `/proc/self/fd` entry in
+ * `.claude/settings.json`'s `sandbox.filesystem.allowRead` array.
+ * Creates each nested key if absent. Idempotent — repeated calls
+ * don't duplicate. Operator-authored `allowRead` entries are
+ * preserved; stale MACF-managed patterns (see
+ * MACF_LEGACY_FD_PATTERNS) are dropped before the current pattern
+ * is installed.
+ *
+ * Opt-out: if `MACF_SANDBOX_FD_FIX_SKIP` is `1` or `true` at call
+ * time (during `macf init` / `macf update`), no change is made. Lets
+ * operators manage their own sandbox block entirely. Accepts both
+ * shapes to stay aligned with `MACF_OTEL_DISABLED` (see
+ * `claude-sh.ts` — same family of opt-out env knobs).
+ *
+ * See macf#200 (original fd-deny bug), macf#208 (pattern-literal fix).
+ */
+export function installSandboxFdAllowRead(workspaceDir) {
+    const skip = process.env['MACF_SANDBOX_FD_FIX_SKIP'];
+    if (skip === '1' || skip === 'true')
+        return;
+    const absDir = resolve(workspaceDir);
+    const claudeDir = join(absDir, '.claude');
+    const path = join(claudeDir, 'settings.json');
+    mkdirSync(claudeDir, { recursive: true });
+    const settings = readSettings(path);
+    // Narrow the deep-nested read; operator-authored alien shapes at
+    // any level default to a fresh empty branch rather than throwing.
+    const sandboxRaw = settings['sandbox'] ?? {};
+    const filesystemRaw = sandboxRaw['filesystem'] ?? {};
+    const existingAllow = Array.isArray(filesystemRaw['allowRead'])
+        ? filesystemRaw['allowRead'].filter((v) => typeof v === 'string')
+        : [];
+    // Preserve operator-authored entries; drop any known-legacy MACF
+    // patterns so the workspace ends up with exactly the current one.
+    const preserved = existingAllow.filter((entry) => !MACF_LEGACY_FD_PATTERNS.includes(entry));
+    // Idempotent short-circuit: only skip if the current pattern is
+    // already present AND there's no legacy pattern to clean up.
+    if (preserved.length === existingAllow.length && preserved.includes(SANDBOX_FD_READ_PATTERN)) {
+        return;
+    }
+    const allowRead = preserved.includes(SANDBOX_FD_READ_PATTERN)
+        ? preserved
+        : [...preserved, SANDBOX_FD_READ_PATTERN];
+    const updated = {
+        ...settings,
+        sandbox: {
+            ...sandboxRaw,
+            filesystem: {
+                ...filesystemRaw,
+                allowRead,
+            },
+        },
+    };
+    writeFileSync(path, JSON.stringify(updated, null, 2) + '\n');
+}
+/**
+ * Pattern that identifies MACF-managed skill-permission entries on
+ * refresh. Any pattern starting with `Skill(macf-agent:` is
+ * considered ours; mismatches are preserved verbatim.
+ */
+const MACF_SKILL_PATTERN_PREFIX = 'Skill(macf-agent:';
+/**
+ * Install (or refresh) the MACF plugin-skill pre-approval entries in
+ * `.claude/settings.json`'s `permissions.allow` array. Idempotent:
+ * stale entries (e.g. from a prior CLI version that listed a since-
+ * removed skill) are dropped + replaced with the current set.
+ * Non-MACF entries in `permissions.allow` are preserved.
+ *
+ * Creates the `.claude/` directory + settings.json if missing.
+ */
+export function installPluginSkillPermissions(workspaceDir) {
+    const absDir = resolve(workspaceDir);
+    const claudeDir = join(absDir, '.claude');
+    const path = join(claudeDir, 'settings.json');
+    mkdirSync(claudeDir, { recursive: true });
+    const settings = readSettings(path);
+    const existingAllow = Array.isArray(settings['permissions'] && settings['permissions']['allow'])
+        ? (settings['permissions'].allow)
+        : [];
+    // Drop any prior Skill(macf-agent:*) entries so we install the
+    // current list fresh (handles "skill was removed in plugin v0.1.N"
+    // case — otherwise the stale pre-approval lingers forever).
+    const preserved = existingAllow.filter((entry) => typeof entry !== 'string' || !entry.startsWith(MACF_SKILL_PATTERN_PREFIX));
+    const allow = [...preserved, ...PLUGIN_SKILL_PERMISSIONS];
+    const existingPermissions = settings['permissions'] ?? {};
+    const updated = {
+        ...settings,
+        permissions: {
+            ...existingPermissions,
+            allow,
+        },
+    };
+    writeFileSync(path, JSON.stringify(updated, null, 2) + '\n');
+}
+/**
+ * Install (or refresh) the MACF PreToolUse hook entry for
+ * `check-gh-token.sh` in `<workspaceDir>/.claude/settings.json`.
+ * Creates the `.claude/` directory and the file if either is missing.
+ *
+ * Idempotent: repeated calls don't duplicate the entry.
+ */
+export function installGhTokenHook(workspaceDir) {
+    const absDir = resolve(workspaceDir);
+    const claudeDir = join(absDir, '.claude');
+    const path = join(claudeDir, 'settings.json');
+    mkdirSync(claudeDir, { recursive: true });
+    const settings = readSettings(path);
+    const hooks = settings.hooks ?? {};
+    const preToolUse = hooks.PreToolUse ?? [];
+    // Drop any prior MACF-managed entries so we can replace them cleanly
+    // — guards against stale flags (e.g. `--old-flag`) from older CLI
+    // versions. Match by path-end equality so an operator-authored file
+    // with a similar-but-distinct name (e.g. `my-check-gh-token.sh-helper.sh`)
+    // doesn't get misclassified as ours and accidentally clobbered.
+    const preserved = preToolUse.filter((entry) => !entry.hooks.some((h) => isMacfManagedCommand(h.command)));
+    const macfEntry = {
+        matcher: 'Bash',
+        hooks: [{ type: 'command', command: MACF_HOOK_COMMAND }],
+    };
+    const updated = {
+        ...settings,
+        hooks: {
+            ...hooks,
+            PreToolUse: [...preserved, macfEntry],
+        },
+    };
+    writeFileSync(path, JSON.stringify(updated, null, 2) + '\n');
+}
+//# sourceMappingURL=settings-writer.js.map

package/dist/cli/settings-writer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"settings-writer.js","sourceRoot":"","sources":["../../src/cli/settings-writer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAE1C;;;;GAIG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,mCAAmC,CAAC;AAErE;;;;GAIG;AACH,MAAM,kBAAkB,GAAG,mBAAmB,CAAC;AAE/C;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,OAAe;IAC3C,iEAAiE;IACjE,6EAA6E;IAC7E,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,QAAQ,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACjE,OAAO,QAAQ,KAAK,kBAAkB,CAAC;AACzC,CAAC;AAqBD,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,4DAA4D,IAAI,KAAM,GAAa,CAAC,OAAO,IAAI;YAC7F,gDAAgD,EAClD,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAsB;IACzD,+BAA+B;IAC/B,+BAA+B;IAC/B,8BAA8B;IAC9B,6BAA6B;CAC9B,CAAC;AAEF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAG,eAAe,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CAAC,YAAoB;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,IAAI,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,uBAAuB,GAAsB;IACjD,kBAAkB;CACnB,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,yBAAyB,CAAC,YAAoB;IAC5D,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACrD,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO;IAE5C,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,UAAU,GAAI,QAAQ,CAAC,SAAS,CAAyC,IAAI,EAAE,CAAC;IACtF,MAAM,aAAa,GAAI,UAAU,CAAC,YAAY,CAAyC,IAAI,EAAE,CAAC;IAC9F,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;QAC7D,CAAC,CAAE,aAAa,CAAC,WAAW,CAAwB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QACtG,CAAC,CAAC,EAAE,CAAC;IAEP,iEAAiE;IACjE,kEAAkE;IAClE,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,uBAAuB,CAAC,QAAQ,CAAC,KAAK,CAAC,CACpD,CAAC;IAEF,gEAAgE;IAChE,6DAA6D;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,aAAa,CAAC,MAAM,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QAC7F,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC;QAC3D,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,CAAC,GAAG,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAE5C,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,OAAO,EAAE;YACP,GAAG,UAAU;YACb,UAAU,EAAE;gBACV,GAAG,aAAa;gBAChB,SAAS;aACV;SACF;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;GAIG;AACH,MAAM,yBAAyB,GAAG,mBAAmB,CAAC;AAEtD;;;;;;;;GAQG;AACH,MAAM,UAAU,6BAA6B,CAAC,YAAoB;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,aAAa,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAK,QAAQ,CAAC,aAAa,CAAyB,CAAC,OAAO,CAAC,CAAC;QACvH,CAAC,CAAC,CAAE,QAAQ,CAAC,aAAa,CAAkC,CAAC,KAAK,CAAC;QACnE,CAAC,CAAC,EAAE,CAAC;IAEP,+DAA+D;IAC/D,mEAAmE;IACnE,4DAA4D;IAC5D,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CACpC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,yBAAyB,CAAC,CACrF,CAAC;IAEF,MAAM,KAAK,GAAa,CAAC,GAAG,SAAS,EAAE,GAAG,wBAAwB,CAAC,CAAC;IAEpE,MAAM,mBAAmB,GAAI,QAAQ,CAAC,aAAa,CAAyC,IAAI,EAAE,CAAC;IACnG,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,WAAW,EAAE;YACX,GAAG,mBAAmB;YACtB,KAAK;SACN;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IAE9C,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IAE1C,qEAAqE;IACrE,kEAAkE;IAClE,oEAAoE;IACpE,2EAA2E;IAC3E,gEAAgE;IAChE,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CACjC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CACrE,CAAC;IAEF,MAAM,SAAS,GAAc;QAC3B,OAAO,EAAE,MAAM;QACf,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;KACzD,CAAC;IAEF,MAAM,OAAO,GAAa;QACxB,GAAG,QAAQ;QACX,KAAK,EAAE;YACL,GAAG,KAAK;YACR,UAAU,EAAE,CAAC,GAAG,SAAS,EAAE,SAAS,CAAC;SACtC;KACF,CAAC;IAEF,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/D,CAAC"}

package/dist/cli/version-resolver.d.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * Resolves latest stable versions for the three components pinned in
+ * macf-agent.json: cli, plugin, actions. Each has a network fetcher
+ * and a hardcoded fallback used when the lookup fails.
+ *
+ * Distinguishes:
+ *   - ok            → value fetched successfully
+ *   - not_published → HTTP 404 (package/release doesn't exist yet)
+ *   - network_error → fetch threw (connection refused, timeout, DNS, ...)
+ *   - rate_limited  → HTTP 403/429 from GitHub API, typically anon
+ *                     rate-limit (60 req/h). See authHeaders() — if
+ *                     `GH_TOKEN` is set in the environment the fetcher
+ *                     uses it automatically (5000 req/h), so this
+ *                     status fires only when anon AND quota-exhausted.
+ *   - invalid_response → HTTP 200 but unparseable/schema-invalid
+ *
+ * The caller can produce clearer warnings than the old single "network
+ * fetch failed" message. GitHub fetchers fall back from /releases/latest
+ * to /tags so bare-tag versioning (no GitHub Release object) still works.
+ */
+export interface VersionSet {
+    readonly cli: string;
+    readonly plugin: string;
+    readonly actions: string;
+}
+export type FetchStatus = 'ok' | 'not_published' | 'network_error' | 'rate_limited' | 'invalid_response';
+export interface FetchResult {
+    readonly status: FetchStatus;
+    readonly value: string | null;
+}
+export interface ResolvedVersions {
+    readonly versions: VersionSet;
+    readonly sources: {
+        readonly cli: FetchStatus;
+        readonly plugin: FetchStatus;
+        readonly actions: FetchStatus;
+    };
+}
+export declare const FALLBACK_VERSIONS: VersionSet;
+export declare const SEMVER_PATTERN: RegExp;
+export declare const ACTIONS_TAG_PATTERN: RegExp;
+export declare function isValidSemver(v: string): boolean;
+export declare function isValidActionsRef(v: string): boolean;
+/**
+ * Compare two semver strings (x.y.z) numerically. Returns negative if a < b,
+ * zero if equal, positive if a > b. Used to pick the highest tag from a list.
+ */
+export declare function compareSemver(a: string, b: string): number;
+/**
+ * Fetch latest CLI version from npm registry.
+ */
+export declare function fetchLatestCliVersion(): Promise<FetchResult>;
+/**
+ * Fetch latest plugin version. Tries /releases/latest first, falls back
+ * to /tags if no release exists (our marketplace uses bare tags).
+ */
+export declare function fetchLatestPluginVersion(): Promise<FetchResult>;
+/**
+ * Fetch latest actions version. Tries /releases/latest first, falls back
+ * to /tags. Returns major-only tag (v1.2.3 → v1) to match floating-major pins.
+ */
+export declare function fetchLatestActionsVersion(): Promise<FetchResult>;
+/**
+ * Resolve latest versions for all three components, falling back on error.
+ * All three fetches run in parallel.
+ */
+export declare function resolveLatestVersions(): Promise<ResolvedVersions>;
+/**
+ * Human-readable message for a non-ok fetch status. Used by callers to
+ * print actionable warnings instead of the generic "network fetch failed".
+ */
+export declare function statusMessage(component: string, status: FetchStatus): string;
+//# sourceMappingURL=version-resolver.d.ts.map

package/dist/cli/version-resolver.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"version-resolver.d.ts","sourceRoot":"","sources":["../../src/cli/version-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,MAAM,WAAW,GAAG,IAAI,GAAG,eAAe,GAAG,eAAe,GAAG,cAAc,GAAG,kBAAkB,CAAC;AA+BzG,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE;QAChB,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC;QAC1B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;QAC7B,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAC;KAC/B,CAAC;CACH;AAED,eAAO,MAAM,iBAAiB,EAAE,UAI/B,CAAC;AAEF,eAAO,MAAM,cAAc,QAAoB,CAAC;AAChD,eAAO,MAAM,mBAAmB,QAAuB,CAAC;AAExD,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAEhD;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAW1D;AA4BD;;GAEG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,WAAW,CAAC,CAgBlE;AAED;;;GAGG;AACH,wBAAsB,wBAAwB,IAAI,OAAO,CAAC,WAAW,CAAC,CA6BrE;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC,WAAW,CAAC,CA2BtE;AAED;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,gBAAgB,CAAC,CAmBvE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,GAAG,MAAM,CAQ5E"}

package/dist/cli/version-resolver.js ADDED Viewed

@@ -0,0 +1,238 @@
+/**
+ * Resolves latest stable versions for the three components pinned in
+ * macf-agent.json: cli, plugin, actions. Each has a network fetcher
+ * and a hardcoded fallback used when the lookup fails.
+ *
+ * Distinguishes:
+ *   - ok            → value fetched successfully
+ *   - not_published → HTTP 404 (package/release doesn't exist yet)
+ *   - network_error → fetch threw (connection refused, timeout, DNS, ...)
+ *   - rate_limited  → HTTP 403/429 from GitHub API, typically anon
+ *                     rate-limit (60 req/h). See authHeaders() — if
+ *                     `GH_TOKEN` is set in the environment the fetcher
+ *                     uses it automatically (5000 req/h), so this
+ *                     status fires only when anon AND quota-exhausted.
+ *   - invalid_response → HTTP 200 but unparseable/schema-invalid
+ *
+ * The caller can produce clearer warnings than the old single "network
+ * fetch failed" message. GitHub fetchers fall back from /releases/latest
+ * to /tags so bare-tag versioning (no GitHub Release object) still works.
+ */
+/**
+ * GitHub API headers. Uses `GH_TOKEN` from env if present — raises the
+ * anonymous 60 req/h limit to 5000 req/h. Primary #186 fix: operators
+ * on shared IPs (Tailscale, CI runners) were burning anon quota across
+ * sessions + getting opaque "invalid_response" on subsequent runs.
+ * `claude.sh` exports GH_TOKEN before `macf update` invocations, so
+ * the token is available in the typical run path.
+ */
+function githubHeaders() {
+    const headers = { 'Accept': 'application/vnd.github+json' };
+    const token = process.env['GH_TOKEN'];
+    if (token !== undefined && token !== '' && token !== 'null') {
+        headers['Authorization'] = `Bearer ${token}`;
+    }
+    return headers;
+}
+/**
+ * Map a non-ok GitHub API response to the appropriate FetchStatus.
+ * 403/429 (rate-limit) and 401 (bad auth) both surface as `rate_limited`
+ * — operator-facing warning distinguishes them from other schema/5xx
+ * errors that come back as `invalid_response`.
+ */
+function classifyGithubError(status) {
+    if (status === 404)
+        return 'not_published';
+    if (status === 401 || status === 403 || status === 429)
+        return 'rate_limited';
+    return 'invalid_response';
+}
+export const FALLBACK_VERSIONS = {
+    cli: '0.2.0-rc.0',
+    plugin: '0.1.0',
+    actions: 'v1',
+};
+export const SEMVER_PATTERN = /^\d+\.\d+\.\d+$/;
+export const ACTIONS_TAG_PATTERN = /^v\d+(\.\d+){0,2}$/;
+export function isValidSemver(v) {
+    return SEMVER_PATTERN.test(v);
+}
+export function isValidActionsRef(v) {
+    return ACTIONS_TAG_PATTERN.test(v) || v === 'main';
+}
+/**
+ * Compare two semver strings (x.y.z) numerically. Returns negative if a < b,
+ * zero if equal, positive if a > b. Used to pick the highest tag from a list.
+ */
+export function compareSemver(a, b) {
+    const parse = (v) => {
+        const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
+        if (!m)
+            return [0, 0, 0];
+        return [Number.parseInt(m[1], 10), Number.parseInt(m[2], 10), Number.parseInt(m[3], 10)];
+    };
+    const [aMaj, aMin, aPat] = parse(a);
+    const [bMaj, bMin, bPat] = parse(b);
+    if (aMaj !== bMaj)
+        return aMaj - bMaj;
+    if (aMin !== bMin)
+        return aMin - bMin;
+    return aPat - bPat;
+}
+/**
+ * Fetch the highest semver tag from a GitHub repo's /tags list.
+ * Returns the tag name (with leading 'v' if present) or null with reason.
+ */
+async function fetchHighestTag(repo) {
+    try {
+        const res = await fetch(`https://api.github.com/repos/${repo}/tags`, {
+            headers: githubHeaders(),
+        });
+        if (!res.ok)
+            return { status: classifyGithubError(res.status), value: null };
+        const data = await res.json();
+        if (!Array.isArray(data))
+            return { status: 'invalid_response', value: null };
+        const semverTags = data
+            .map(t => typeof t.name === 'string' ? t.name : null)
+            .filter((n) => n !== null && /^v?\d+\.\d+\.\d+$/.test(n));
+        if (semverTags.length === 0)
+            return { status: 'not_published', value: null };
+        semverTags.sort((a, b) => compareSemver(b, a)); // descending
+        return { status: 'ok', value: semverTags[0] };
+    }
+    catch {
+        return { status: 'network_error', value: null };
+    }
+}
+/**
+ * Fetch latest CLI version from npm registry.
+ */
+export async function fetchLatestCliVersion() {
+    try {
+        const res = await fetch('https://registry.npmjs.org/@macf/cli', {
+            headers: { 'Accept': 'application/json' },
+        });
+        if (res.status === 404)
+            return { status: 'not_published', value: null };
+        if (!res.ok)
+            return { status: 'invalid_response', value: null };
+        const data = await res.json();
+        const latest = data['dist-tags']?.latest;
+        if (typeof latest !== 'string' || !isValidSemver(latest)) {
+            return { status: 'invalid_response', value: null };
+        }
+        return { status: 'ok', value: latest };
+    }
+    catch {
+        return { status: 'network_error', value: null };
+    }
+}
+/**
+ * Fetch latest plugin version. Tries /releases/latest first, falls back
+ * to /tags if no release exists (our marketplace uses bare tags).
+ */
+export async function fetchLatestPluginVersion() {
+    const repo = 'groundnuty/macf-marketplace';
+    // Try /releases/latest first
+    try {
+        const res = await fetch(`https://api.github.com/repos/${repo}/releases/latest`, {
+            headers: githubHeaders(),
+        });
+        if (res.ok) {
+            const data = await res.json();
+            const tag = data.tag_name;
+            if (typeof tag === 'string') {
+                const semver = tag.replace(/^v/, '');
+                if (isValidSemver(semver))
+                    return { status: 'ok', value: semver };
+            }
+            return { status: 'invalid_response', value: null };
+        }
+        if (res.status !== 404)
+            return { status: classifyGithubError(res.status), value: null };
+        // fall through to /tags (404 = no Release object; marketplace uses bare tags)
+    }
+    catch {
+        return { status: 'network_error', value: null };
+    }
+    // Fallback: /tags
+    const tagsResult = await fetchHighestTag(repo);
+    if (tagsResult.status !== 'ok' || !tagsResult.value)
+        return tagsResult;
+    const semver = tagsResult.value.replace(/^v/, '');
+    if (!isValidSemver(semver))
+        return { status: 'invalid_response', value: null };
+    return { status: 'ok', value: semver };
+}
+/**
+ * Fetch latest actions version. Tries /releases/latest first, falls back
+ * to /tags. Returns major-only tag (v1.2.3 → v1) to match floating-major pins.
+ */
+export async function fetchLatestActionsVersion() {
+    const repo = 'groundnuty/macf-actions';
+    try {
+        const res = await fetch(`https://api.github.com/repos/${repo}/releases/latest`, {
+            headers: githubHeaders(),
+        });
+        if (res.ok) {
+            const data = await res.json();
+            const tag = data.tag_name;
+            if (typeof tag === 'string' && isValidActionsRef(tag)) {
+                const m = /^v(\d+)/.exec(tag);
+                return { status: 'ok', value: m ? `v${m[1]}` : tag };
+            }
+            return { status: 'invalid_response', value: null };
+        }
+        if (res.status !== 404)
+            return { status: classifyGithubError(res.status), value: null };
+    }
+    catch {
+        return { status: 'network_error', value: null };
+    }
+    // Fallback: /tags
+    const tagsResult = await fetchHighestTag(repo);
+    if (tagsResult.status !== 'ok' || !tagsResult.value)
+        return tagsResult;
+    const m = /^v(\d+)/.exec(tagsResult.value);
+    if (!m)
+        return { status: 'invalid_response', value: null };
+    return { status: 'ok', value: `v${m[1]}` };
+}
+/**
+ * Resolve latest versions for all three components, falling back on error.
+ * All three fetches run in parallel.
+ */
+export async function resolveLatestVersions() {
+    const [cli, plugin, actions] = await Promise.all([
+        fetchLatestCliVersion(),
+        fetchLatestPluginVersion(),
+        fetchLatestActionsVersion(),
+    ]);
+    return {
+        versions: {
+            cli: cli.value ?? FALLBACK_VERSIONS.cli,
+            plugin: plugin.value ?? FALLBACK_VERSIONS.plugin,
+            actions: actions.value ?? FALLBACK_VERSIONS.actions,
+        },
+        sources: {
+            cli: cli.status,
+            plugin: plugin.status,
+            actions: actions.status,
+        },
+    };
+}
+/**
+ * Human-readable message for a non-ok fetch status. Used by callers to
+ * print actionable warnings instead of the generic "network fetch failed".
+ */
+export function statusMessage(component, status) {
+    switch (status) {
+        case 'ok': return `${component}: ok`;
+        case 'not_published': return `${component}: no published release found (using default)`;
+        case 'network_error': return `${component}: network fetch failed (using default)`;
+        case 'rate_limited': return `${component}: GitHub API rate-limited or unauthorized — set GH_TOKEN to raise the anon 60 req/h limit (using default)`;
+        case 'invalid_response': return `${component}: unexpected response format (using default)`;
+    }
+}
+//# sourceMappingURL=version-resolver.js.map

package/dist/cli/version-resolver.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"version-resolver.js","sourceRoot":"","sources":["../../src/cli/version-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAUH;;;;;;;GAOG;AACH,SAAS,aAAa;IACpB,MAAM,OAAO,GAA2B,EAAE,QAAQ,EAAE,6BAA6B,EAAE,CAAC;IACpF,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtC,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QAC5D,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,KAAK,EAAE,CAAC;IAC/C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,mBAAmB,CAAC,MAAc;IACzC,IAAI,MAAM,KAAK,GAAG;QAAE,OAAO,eAAe,CAAC;IAC3C,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG;QAAE,OAAO,cAAc,CAAC;IAC9E,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAgBD,MAAM,CAAC,MAAM,iBAAiB,GAAe;IAC3C,GAAG,EAAE,YAAY;IACjB,MAAM,EAAE,OAAO;IACf,OAAO,EAAE,IAAI;CACd,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,iBAAiB,CAAC;AAChD,MAAM,CAAC,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;AAExD,MAAM,UAAU,aAAa,CAAC,CAAS;IACrC,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,CAAS;IACzC,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,CAAS,EAAE,CAAS;IAChD,MAAM,KAAK,GAAG,CAAC,CAAS,EAA4B,EAAE;QACpD,MAAM,CAAC,GAAG,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,IAAI,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC9F,CAAC,CAAC;IACF,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACpC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACpC,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,GAAG,IAAI,CAAC;IACtC,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,GAAG,IAAI,CAAC;IACtC,OAAO,IAAI,GAAG,IAAI,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,IAAI,OAAO,EAAE;YACnE,OAAO,EAAE,aAAa,EAAE;SACzB,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAC7E,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA+B,CAAC;QAC3D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAE7E,MAAM,UAAU,GAAG,IAAI;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;aACpD,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAEzE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAE7E,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa;QAC7D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAE,EAAE,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,sCAAsC,EAAE;YAC9D,OAAO,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE;SAC1C,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACxE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QAChE,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2C,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QACzC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;YACzD,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACrD,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB;IAC5C,MAAM,IAAI,GAAG,6BAA6B,CAAC;IAE3C,6BAA6B;IAC7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,IAAI,kBAAkB,EAAE;YAC9E,OAAO,EAAE,aAAa,EAAE;SACzB,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2B,CAAC;YACvD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC1B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,aAAa,CAAC,MAAM,CAAC;oBAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;YACpE,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACrD,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACxF,8EAA8E;IAChF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,kBAAkB;IAClB,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK;QAAE,OAAO,UAAU,CAAC;IACvE,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAClD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC/E,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACzC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB;IAC7C,MAAM,IAAI,GAAG,yBAAyB,CAAC;IAEvC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,IAAI,kBAAkB,EAAE;YAC9E,OAAO,EAAE,aAAa,EAAE;SACzB,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA2B,CAAC;YACvD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;YAC1B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,iBAAiB,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtD,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YACvD,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACrD,CAAC;QACD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC1F,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAClD,CAAC;IAED,kBAAkB;IAClB,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK;QAAE,OAAO,UAAU,CAAC;IACvE,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC3C,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IAC3D,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAC/C,qBAAqB,EAAE;QACvB,wBAAwB,EAAE;QAC1B,yBAAyB,EAAE;KAC5B,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ,EAAE;YACR,GAAG,EAAE,GAAG,CAAC,KAAK,IAAI,iBAAiB,CAAC,GAAG;YACvC,MAAM,EAAE,MAAM,CAAC,KAAK,IAAI,iBAAiB,CAAC,MAAM;YAChD,OAAO,EAAE,OAAO,CAAC,KAAK,IAAI,iBAAiB,CAAC,OAAO;SACpD;QACD,OAAO,EAAE;YACP,GAAG,EAAE,GAAG,CAAC,MAAM;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,OAAO,CAAC,MAAM;SACxB;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,MAAmB;IAClE,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,SAAS,MAAM,CAAC;QACrC,KAAK,eAAe,CAAC,CAAC,OAAO,GAAG,SAAS,8CAA8C,CAAC;QACxF,KAAK,eAAe,CAAC,CAAC,OAAO,GAAG,SAAS,wCAAwC,CAAC;QAClF,KAAK,cAAc,CAAC,CAAC,OAAO,GAAG,SAAS,2GAA2G,CAAC;QACpJ,KAAK,kBAAkB,CAAC,CAAC,OAAO,GAAG,SAAS,8CAA8C,CAAC;IAC7F,CAAC;AACH,CAAC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Multi-Agent Coordination Framework (MACF) CLI.
+ *
+ * The primary consumption shape of this package is as a binary (`macf`
+ * and `macf-plugin-cli` — see the `bin` field in package.json). This
+ * barrel exposes a small programmatic surface for tooling that needs
+ * to invoke CLI helpers directly (tests, integration harnesses).
+ *
+ * Shared types + functions (errors, logger, config, registry, certs,
+ * etc.) live in `@groundnuty/macf-core` and should be imported from
+ * there directly, not re-exported here.
+ */
+export { MACF_HOOK_COMMAND, PLUGIN_SKILL_PERMISSIONS, SANDBOX_FD_READ_PATTERN, getSandboxAllowRead, installGhTokenHook, installPluginSkillPermissions, installSandboxFdAllowRead, } from './cli/settings-writer.js';
+export { readAgentConfig, loadAllAgents, readAgentsIndex, writeAgentConfig, agentCertPath, agentKeyPath, caDir, caCertPath, caKeyPath, tokenSourceFromConfig, } from './cli/config.js';
+export type { MacfAgentConfig, VersionPins } from './cli/config.js';
+export { copyCanonicalRules, copyCanonicalScripts, findCliPackageRoot } from './cli/rules.js';
+export { MACF_REQUIRED_PERMISSIONS, diffPermissions, checkSandboxFdAllowRead } from './cli/commands/doctor.js';
+export type { RequiredPermission, DoctorFinding, SandboxFdCheck } from './cli/commands/doctor.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,uBAAuB,EACvB,mBAAmB,EACnB,kBAAkB,EAClB,6BAA6B,EAC7B,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EACL,eAAe,EACf,aAAa,EACb,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,YAAY,EACZ,KAAK,EACL,UAAU,EACV,SAAS,EACT,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAGpE,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAG9F,OAAO,EAAE,yBAAyB,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AAC/G,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Multi-Agent Coordination Framework (MACF) CLI.
+ *
+ * The primary consumption shape of this package is as a binary (`macf`
+ * and `macf-plugin-cli` — see the `bin` field in package.json). This
+ * barrel exposes a small programmatic surface for tooling that needs
+ * to invoke CLI helpers directly (tests, integration harnesses).
+ *
+ * Shared types + functions (errors, logger, config, registry, certs,
+ * etc.) live in `@groundnuty/macf-core` and should be imported from
+ * there directly, not re-exported here.
+ */
+// Settings-writer helpers — used by `macf init` / `macf update` /
+// `macf rules refresh` to seed workspace `.claude/settings.json`.
+export { MACF_HOOK_COMMAND, PLUGIN_SKILL_PERMISSIONS, SANDBOX_FD_READ_PATTERN, getSandboxAllowRead, installGhTokenHook, installPluginSkillPermissions, installSandboxFdAllowRead, } from './cli/settings-writer.js';
+// Config resolution — `macf-agent.json` reader + workspace discovery.
+export { readAgentConfig, loadAllAgents, readAgentsIndex, writeAgentConfig, agentCertPath, agentKeyPath, caDir, caCertPath, caKeyPath, tokenSourceFromConfig, } from './cli/config.js';
+// Canonical rules distribution — `macf rules refresh` entrypoint.
+export { copyCanonicalRules, copyCanonicalScripts, findCliPackageRoot } from './cli/rules.js';
+// Doctor check — programmatic access for external verification tools.
+export { MACF_REQUIRED_PERMISSIONS, diffPermissions, checkSandboxFdAllowRead } from './cli/commands/doctor.js';
+//# sourceMappingURL=index.js.map